Multiplication in Cyclotomic Rings and its Application to Finite Fields

Francisco Argüello

Abstract 

A representation of finite fields that has proved useful when implementing
finite field arithmetic in hardware is based on an isomorphism between
subrings and fields. In this paper, we present a unified formulation for
multiplication in cyclotomic rings and cyclotomic fields in which most
arithmetic operations are done on vectors. From this formulation we can
generate optimized algorithms for multiplication. For example, one of the
proposed algorithms requires approximately half the number of
coordinate-level multiplications at the expense of extra coordinate-level
additions. Our method is then applied to the finite fields GF(q^m) to further
reduce the number of operations. We then present optimized algorithms for
multiplication in finite fields with type-I and type-II optimal normal bases.



Keywords: Cyclotomic ring, Finite field, Galois field, Normal basis, Redundant
basis, Multiplier.

1 Introduction 

Recently, there has been a good deal of interest in developing hardware and
software methods for implementing the finite field GF(q^m) arithmetic
operations, particularly for cryptographic applications [1], [2], [3].
Multiplication in finite fields is a complicated and time-consuming operation
that very much depends on how the field elements are represented. A
representation of finite fields that has proved useful when implementing
finite field arithmetic in hardware is based on an isomorphism between
subrings and fields. The main idea is to embed a field in a larger ring,
perform multiplication there, and then convert the result back to the field.
The ring used is referred to as cyclotomic, because it has an extremely simple
basis whose elements form a cyclic group. Because the dimension of the ring is
higher than that of the field, this representation is referred to as
redundant. Having in mind the design of efficient arithmetic circuits, it is
desirable to find the ring of lowest dimension with the property that the
finite field is contained in the ring. This way of representing finite fields
has been explored by various authors [4], [5], [6], [7], [8], [9], [10].

Drolet [5] represents the finite field GF(2^m) as a subring of the cyclotomic
ring GF(2)[x]/(x^n + 1), with the integer n chosen in such a way that
x^n + 1 \in GF(2)[x] contains an irreducible factor of degree m. He shows that
this ring representation of elements of the finite field satisfies a
generalized Massey-Omura condition and that the square of an element can be
obtained by applying a specific permutation to the bits of the word
representing it. In this line, Geiselmann et al. [6] characterize the smallest
n such that GF(2)[x]/(x^n + 1) contains an isomorphic copy of GF(2^m).

Some redundant bases can be easily introduced by the normal bases generated
with the help of a Gauss period [11], [12]. Gao et al. [7], [8] use Gauss
periods for embedding the elements of the finite field in a cyclotomic field
and, by doing so, they can find the relation/conversion between the redundant
basis and the normal basis. This conversion can be done in hardware with
almost no cost. There are two types of normal bases generated by Gauss periods
with minimal complexity, usually called optimal normal bases (ONBs) of type-I
and type-II, respectively. When there exists an ONB, a very simple and highly
regular multiplier architecture can be obtained using the redundant
representation. Recently, Wu et al. [10] have made this idea more explicit and
present architectures that are suitable for hardware implementation. The
basic idea is to embed the finite field GF(2^m) in the smallest splitting
field of x^n + 1 over GF(2) and do the arithmetic in this cyclotomic field.

In this paper, we first present a unified formulation for multiplication in
cyclotomic rings and cyclotomic fields in which most arithmetic operations are
done on vectors. The method is quite generic in the sense that it is not
restricted to any special type of ground field. Our algorithms are then
applied to the finite fields GF(q^m) with q prime to further reduce the number
of operations. The organization of the rest of this paper is as follows: In
the next section, we briefly review the cyclotomic rings and fields. In
Section 3, we derive a formulation for multiplication in generic cyclotomic
rings/fields. We also give the computational complexity of the algorithms in
terms of the coordinate-level operations needed. In Section 4, we apply the
method to the finite fields and then adapt it to two special classes of bases,
namely, the type-I and type-II ONBs. Finally, we make a few concluding remarks
in Section 5.

2 Cyclotomic Rings and Fields 

2.1 Cyclotomic rings 

Let F be a field. The set of polynomials with coefficients in the field, F[x],
with the usual operations of addition and multiplication of polynomials forms
a ring. We can also consider the ring of the polynomials modulo a polynomial
p(x). If we let \beta be the residue class of x, then the elements of
F[x]/p(x) can be represented in the form

    A = a_0 + a_1 \beta + a_2 \beta^2 + \cdots + a_{n-1} \beta^{n-1},
    \quad a_i \in F,                                                      (1)

where n is the degree of p(x). That is, the elements 1, \beta, \beta^2,
\ldots, \beta^{n-1} form a true basis for F[x]/p(x).

If the arithmetic is done modulo the polynomial x^n - 1 then one obtains the
nth cyclotomic ring F[x]/(x^n - 1). Since a cyclotomic ring satisfies the
expression \beta^n = 1, the elements 1, \beta, \beta^2, \ldots, \beta^{n-1}
form a cyclic group of order n with the following multiplication table:

    \beta^i \cdot \beta = \begin{cases} \beta^{i+1} & \text{if } 0 \le i < n-1 \\
                                        1            & \text{if } i = n-1. \end{cases}   (2)

As mentioned in the introduction, the key idea of the representation of
GF(q^m) considered in [5], [6] is to represent the field GF(q^m) as a subring
of GF(q)[x]/(x^n - 1) with n > m and do the arithmetic operations over the
ring.

Example 1. With the usual addition and multiplication in GF(2)[x]/(x^3 + 1),
the residue classes 0, \beta + 1, \beta^2 + 1 and \beta^2 + \beta form a
subring of GF(2)[x]/(x^3 + 1) that is isomorphic to GF(2^2). The residue class
\beta^2 + \beta serves as the multiplicative identity in the subring.

2.2 Cyclotomic fields 

On the other hand, the nth cyclotomic field over the field F, denoted F^{(n)},
is defined to be the splitting field of x^n - 1 over F. Let \beta be a
primitive nth root of unity in some extension of F. Then, the elements
1, \beta, \beta^2, \ldots, \beta^{n-1} form a cyclic group of order n with the
multiplication table (2). F^{(n)} is obtained by adjoining the elements
generated by \beta to F. We may consider the basis
[1, \beta, \beta^2, \ldots, \beta^{n-1}] and write elements of F^{(n)} in the
form (1).

Since a cyclotomic field satisfies the equation

    1 + \beta + \beta^2 + \cdots + \beta^{n-1} = 0,                          (3)

the representation is not unique, that is, each n-tuple
(a_0, a_1, \ldots, a_{n-1}), a_i \in F, gives an element of F^{(n)}, but
different tuples may give the same element. For example, by (3) the two
n-tuples (a_0, a_1, \ldots, a_{n-1}) and
(a_0 + k, a_1 + k, \ldots, a_{n-1} + k), k \in F, both represent the same
element.

Example 2. If Q is the field of rational numbers and n = 3, then the
cyclotomic field Q^{(3)} can be obtained by adjoining a primitive cubic root
of unity, \beta, say \beta = (-1 + i\sqrt{3})/2, to the rational numbers Q,
and the elements of Q^{(3)} can be written as
A = a_0 + a_1 \beta + a_2 \beta^2. Note that equation (3) is satisfied and so
such a representation is redundant, since we can also write
A = b_0 + b_1 i\sqrt{3}.



As mentioned in the introduction, the basic idea in [10] is to embed the
finite field GF(q^m) in the smallest splitting field of x^n - 1 over GF(q) and
do the arithmetic in this cyclotomic field. Some examples are the redundant
bases which can be generated with the help of the Gauss periods [12]. If there
exists a normal basis [\gamma^{q^0}, \gamma^{q^1}, \ldots, \gamma^{q^{m-1}}]
generated by a Gauss period of type (m, k), then this normal basis can be
expressed in terms of the redundant basis
[\beta^0, \beta^1, \ldots, \beta^{n-1}] as

    [\gamma^{q^0}, \gamma^{q^1}, \ldots, \gamma^{q^{m-1}}]
      = \Big[ \sum_{i=0}^{k-1} \beta^{\alpha^i},\;
              \sum_{i=0}^{k-1} \beta^{q \alpha^i},\; \ldots,\;
              \sum_{i=0}^{k-1} \beta^{q^{m-1} \alpha^i} \Big],             (4)

where n = mk + 1, \alpha is an element of order k of Z_n^* and \beta
satisfies, by construction, equations (2) and (3).

2.3 Multiplication 

Let any two elements A, B be represented in the form (1), i.e.,
A = \sum_{i=0}^{n-1} a_i \beta^i and B = \sum_{i=0}^{n-1} b_i \beta^i. Since
\beta^n = 1 (which is satisfied in both cyclotomic rings and cyclotomic
fields), the product C = AB can be written as

    C = \sum_{i=0}^{n-1} \sum_{j=0}^{n-1} a_i b_j \beta^{i+j}
      = \sum_{j=0}^{n-1} \Big( \sum_{i=0}^{n-1} a_i b_{j-i} \Big) \beta^j,   (5)

where the subscript j - i must be read modulo n (i.e., a_{n+k} \to a_k and
a_{-k} \to a_{n-k}). Then, the coordinates of C can be calculated by

    c_j = \sum_{i=0}^{n-1} a_i b_{j-i}, \quad 0 \le j < n.                   (6)

The resulting algorithm is suitable for a bit-level hardware implementation
[10].



3 Algorithm for Multiplication 

In this section, we will introduce a vector-level algorithm which essentially
eliminates the bit-wide inner products needed by a direct implementation of
equation (6). We start from equation (5) and, using a technique similar to
that of [15], write a separate sum with the terms which have equal coordinate
indexes:



    C = \sum_{i=0}^{n-1} \sum_{j=0}^{n-1} a_i b_j \beta^{i+j}
      = \sum_{i=0}^{n-1} a_i b_i \beta^{2i}
        + \sum_{i=0}^{n-1} \sum_{j=0,\, j \ne i}^{n-1} a_i b_j \beta^{i+j}    (7)

      = \sum_{i=0}^{n-1} a_i b_i \beta^{2i}
        + \sum_{i=0}^{n-1} \sum_{k=1}^{n-1} a_i b_{i+k} \beta^{2i+k}.          (8)

In the last expression we have used that \beta^{2i+k} = \beta^{2i+k-n} for
2i + k \ge n, and the subscripts must be read modulo n. Denoting
v = \lfloor (n-1)/2 \rfloor and since the multiplication matrix is symmetric,
we can write



    C = \sum_{i=0}^{n-1} a_i b_i \beta^{2i}
        + \sum_{i=0}^{n-1} \sum_{j=1}^{v} (a_i b_{i+j} + a_{i+j} b_i) \beta^{2i+j}
        + V,                                                                  (9)

where

    V = \begin{cases}
          \sum_{i=0}^{n-1} a_i b_{i+n/2} \beta^{2i+n/2}
            = \sum_{i=0}^{n/2-1} (a_i b_{i+n/2} + a_{i+n/2} b_i) \beta^{2i+n/2}
                                                          & \text{if } n \text{ even} \\
          0                                               & \text{if } n \text{ odd.}
        \end{cases}                                                           (10)
This equation can be rewritten if we add and subtract the term (for n odd)

    \sum_{i=0}^{n-1} \sum_{j=1}^{v} a_i b_i \beta^{2i+j}
      + \sum_{i=0}^{n-1} \sum_{j=1}^{v} a_{i+j} b_{i+j} \beta^{2i+j}.         (11)

The last sum can be re-indexed, and then one can verify that

    C = \sum_{i=0}^{n-1} a_i b_i \beta^{2i} (1 - W)
        + \sum_{i=0}^{n-1} \sum_{j=1}^{v} (a_i + a_{i+j})(b_i + b_{i+j}) \beta^{2i+j}
        + Z,                                                                  (12)

where

    W = \begin{cases}
          \sum_{j=1}^{v} (\beta^j + \beta^{-j}) + \beta^{n/2} & \text{if } n \text{ even} \\
          \sum_{j=1}^{v} (\beta^j + \beta^{-j})               & \text{if } n \text{ odd}
        \end{cases}                                                           (13)

and

    Z = \begin{cases}
          \sum_{i=0}^{n/2-1} (a_i + a_{i+n/2})(b_i + b_{i+n/2}) \beta^{2i+n/2}
                                                              & \text{if } n \text{ even} \\
          0                                                   & \text{if } n \text{ odd.}
        \end{cases}                                                           (14)



We can also write W = \sum_{j=1}^{n-1} \beta^j. Let
A = \sum_{i=0}^{n-1} a_i \beta^i be any ring element. Then one can verify that

    A(1 - W) = \sum_{i=0}^{n-1} (2a_i - p) \beta^i, \quad
    \text{with } p = \sum_{j=0}^{n-1} a_j.                                    (15)

Applying this expression to (12) and by using a bit of algebra, we obtain

    C = \sum_{i=0}^{n-1} 2 a_i b_i \beta^{2i} + \sum_{i=0}^{n-1} x \beta^{i}
        + \sum_{i=0}^{n-1} \sum_{j=1}^{v} (a_i + a_{i+j})(b_i + b_{i+j}) \beta^{2i+j}
        + Z,                                                                  (16)

with x = -\sum_{j=0}^{n-1} a_j b_j. This equation applies to both cyclotomic
fields and cyclotomic rings and to any ground field F.

    Multiplier                        #Mult        #Doub   #Add              Total
    ---------------------------------------------------------------------------------
    Eqs. (9), (18), rings and fields  n^2          -       (n-1)n            2n^2 - n
    Eqs. (16), (19), rings (general)  (n+1)n/2     n       (3n+1)n/2 - 1     2n^2 + 2n - 1
    Eqs. (16), (19), rings (GF(2))    (n+1)n/2     -       (3n-1)n/2 - 1     2n^2 - 1
    Eqs. (17), (20), fields (general) (n+1)n/2     n       3(n-1)n/2         2n^2
    Eqs. (17), (20), fields (GF(2))   (n-1)n/2     -       (3n-5)n/2         2n^2 - 3n
    Direct [5], [6]                   n^2          -       (n-1)n            2n^2 - n

Table 1: Comparison of cyclotomic ring/field multipliers.

In the case of cyclotomic fields, we can apply the supplementary relation (3).
So, in this case, we obtain the equation

    C = 2 \sum_{i=0}^{n-1} a_i b_i \beta^{2i}
        + \sum_{i=0}^{n-1} \sum_{j=1}^{v} (a_i + a_{i+j})(b_i + b_{i+j}) \beta^{2i+j}
        + Z.                                                                  (17)

Equations (9), (16) and (17) are the final results. In the next section, we
will see how to obtain a vector-level algorithm from these equations.

Table 1 compares the number of coordinate-level operations of the obtained
equations with that of a direct implementation of equation (6) (for example,
figures 1.a and 1.b of [5], [6], [10]). Equation (9) requires the same number
of multiplications and additions as the direct implementation. On the other
hand, equations (16) and (17) require approximately half the number of
coordinate-level multiplications. Although this is achieved at the expense of
extra coordinate-level additions, the total number of operations is only
slightly higher than that of the direct implementation. Hence, these equations
are advantageous for ground fields in which multiplication is more costly than
addition. In the particular case where the ground field is GF(2), the number
of operations is slightly lower because 2 a_i b_i = 0. In this case, equation
(17) requires the lowest number of operations.



4 Application to finite fields 

Finally, we restrict ourselves to the particular case of n odd (for example,
for finite fields GF(q) with q prime or a power of a prime). In this case and
for both cyclotomic rings and cyclotomic fields, equation (9) can be written
as

    C = \sum_{i=0}^{n-1} \Big\{ a_i b_i
          + \sum_{j=1}^{v} (a_{i+j} b_{i-j} + b_{i+j} a_{i-j}) \Big\} \beta^{2i},   (18)

where we have made the change of variables i \to i + j, j \to -2j. Moreover,
for cyclotomic rings, equation (16) simplifies to

    C = \sum_{i=0}^{n-1} \Big\{ x + 2 a_i b_i
          + \sum_{j=1}^{v} (a_{i+j} + a_{i-j})(b_{i+j} + b_{i-j}) \Big\} \beta^{2i},   (19)

with x = -\sum_{j=0}^{n-1} a_j b_j and v = (n-1)/2. Lastly, for cyclotomic
fields, equation (17) simplifies to

    C = \sum_{i=0}^{n-1} \Big\{ 2 a_i b_i
          + \sum_{j=1}^{v} (a_{i+j} + a_{i-j})(b_{i+j} + b_{i-j}) \Big\} \beta^{2i},   (20)

where, in the particular case of modulo 2 arithmetic, for example GF(2),
2 a_i b_i = 0. From these equations we can develop algorithms in which most
arithmetic operations are done on vectors instead of bits. We can make the
following considerations:

• The index i runs over all coordinates of the operands, and consequently the
operations of multiplication and addition can be done on vectors.

• The subscript i + k represents a cyclic shift of k positions with respect to
the reference index i. It is found in the coordinates a_{i+j} and a_{i-j}.

• The square of the basis (\beta^{2i}) can simply be performed with a
permutation since we can write, for n odd,

    [\beta^0, \beta^2, \beta^4, \ldots, \beta^{2(n-1)}]
      = [1, \beta^2, \beta^4, \ldots, \beta^{n-1}, \beta, \beta^3, \ldots, \beta^{n-2}].   (21)

In this last expression, since \beta^n = 1, we have applied
\beta^{2j} = \beta^{2j-n} if 2j > n. Besides, the inverse permutation
represents the realization of a square root operation.

Table 2 shows the data-flow of the coordinates of the variable A during the
computation of equation (20). In this table, we can see the cyclic shifts
which have to be done in each cycle and the final permutation for obtaining
C = AB. If this final permutation is not done, we will obtain D = \sqrt{AB}.
Thus, from equation (18) we have the following algorithm.



                  a_1   a_2   a_3   a_4   a_5   a_6   a_0
    j = 1          +     +     +     +     +     +     +
                  a_6   a_0   a_1   a_2   a_3   a_4   a_5

                  a_2   a_3   a_4   a_5   a_6   a_0   a_1
    j = 2          +     +     +     +     +     +     +
                  a_5   a_6   a_0   a_1   a_2   a_3   a_4

                  a_3   a_4   a_5   a_6   a_0   a_1   a_2
    j = 3          +     +     +     +     +     +     +
                  a_4   a_5   a_6   a_0   a_1   a_2   a_3

                   |     |     |     |     |     |     |
    D = sqrt(AB) -> d_0   d_1   d_2   d_3   d_4   d_5   d_6
    C = AB       -> c_0   c_2   c_4   c_6   c_1   c_3   c_5

Table 2: Data-flow of the coordinates of A during the computation of equation
(20) for C = AB and D = \sqrt{AB} with n = 7.

Algorithm 1. Multiplication over cyclotomic rings and fields with n odd
(equation (18)).
Input: A, B
Output: D = \sqrt{AB}, C = AB
1. Initialize S_A = A, T_A = A, S_B = B, T_B = B, v = (n - 1)/2
2. D = A \odot B
3. For j = 1 to v {
4.   S_A << 1, S_B << 1, T_A >> 1, T_B >> 1
     (after j rounds S_A and S_B hold a_{i+j} and b_{i+j} at coordinate i,
     and T_A and T_B hold a_{i-j} and b_{i-j}, as in the rows of Table 2)
5.   R = (S_A \odot T_B) \oplus (S_B \odot T_A)
6.   D = D \oplus R }
7. C = sqrt_perm(D).

From equations (19) and (20) we obtain the following algorithm.



Algorithm 2. Multiplication over cyclotomic rings (equation (19)) and
cyclotomic fields (equation (20)) with n odd.
Input: A, B
Output: D = \sqrt{AB}, C = AB
1. Initialize S_A = A, T_A = A, S_B = B, T_B = B, v = (n - 1)/2
2. D = A \odot B
// Lines 3 and 5 apply only to cyclotomic rings
3. x = -\sum_{i=0}^{n-1} a_i b_i
4. D = 2D
5. D = D \oplus (x, \ldots, x)
6. For j = 1 to v {
7.   S_A << 1, S_B << 1, T_A >> 1, T_B >> 1
8.   R = (S_A \oplus T_A) \odot (S_B \oplus T_B)
9.   D = D \oplus R }
10. C = sqrt_perm(D).





(a) Algorithm 1

                 a_0 b_0                 a_1 b_1                 a_2 b_2
    j = 1      + (a_1 b_2 + b_1 a_2)   + (a_2 b_0 + b_2 a_0)   + (a_0 b_1 + b_0 a_1)
    C = AB       = c_0                   = c_2                   = c_1

(b) Algorithm 2

    x = a_0 b_0 + a_1 b_1 + a_2 b_2

                 x +                     x +                     x +
    j = 1        (a_1 + a_2)             (a_2 + a_0)             (a_0 + a_1)
                 \times (b_1 + b_2)      \times (b_2 + b_0)      \times (b_0 + b_1)
    C = AB       = c_0                   = c_2                   = c_1

Table 3: Multiplication in a cyclotomic ring (example 3). (a) Algorithm 1.
(b) Algorithm 2.



In the above algorithms, \odot and \oplus denote coordinate-wise operations,
for example, A \odot B = (a_0 b_0, a_1 b_1, \ldots, a_{n-1} b_{n-1}), the
symbols << and >> denote cyclic shifts, and C = sqrt_perm(D) denotes the
permutation of coordinates given by

    c_{2i \bmod n} = d_i, \quad 0 \le i < n.

Next, we apply the above algorithms to multiplication in the finite field
GF(q^m). Three cases are considered: the general case (cyclotomic rings), and
the two particular cases of finite fields with type-I and type-II ONBs.

A) Cyclotomic rings 

This is the more general case (fields are rings with multiplicative inverses)
and so we must use Algorithm 1 or Algorithm 2 in full.

Example 3. GF(2^2) is isomorphic to a subring of GF(2)[x]/(x^3 + 1) and so a
finite field element can be written in the redundant representation as
A = a_0 + a_1 \beta + a_2 \beta^2. An isomorphism is given by the embedding
0 \to 0, 1 \to \beta + \beta^2, \alpha \to 1 + \beta and
1 + \alpha \to 1 + \beta^2, where the former is an element of GF(2^2) in
polynomial representation and the latter a ring element. Table 3 shows the
operations that must be done in a multiplication when using this redundant
representation.
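As an added example (not code from the paper), the following Python implements Algorithms 1 and 2 for odd n over the ring Z_q[x]/(x^n - 1), with the shift registers for a_{i+j}, a_{i-j}, b_{i+j}, b_{i-j} spelled out, counts the coordinate-level multiplications of Table 1, and checks the results against the direct convolution of equation (6); the usage at the bottom reproduces Example 3 (alpha = 1 + beta squared in GF(2)[x]/(x^3 + 1)). The function names and the `normalize` helper are this example's own.

```python
# Added example (not from the paper): Algorithms 1 and 2 for odd n in the
# cyclotomic ring Z_q[x]/(x^n - 1), checked against the convolution of eq. (6).
from typing import List, Tuple

Vec = List[int]


def direct_mult(a: Vec, b: Vec, q: int) -> Vec:
    """Equation (6): c_j = sum_i a_i * b_{j-i}, subscripts read modulo n."""
    n = len(a)
    return [sum(a[i] * b[(j - i) % n] for i in range(n)) % q for j in range(n)]


def rot(v: Vec, k: int) -> Vec:
    """Cyclic shift: result[i] = v[(i + k) mod n]; k > 0 is '<<', k < 0 is '>>'."""
    n = len(v)
    return [v[(i + k) % n] for i in range(n)]


def sqrt_perm(d: Vec, q: int) -> Vec:
    """c_{2i mod n} = d_i (the permutation of eq. (21)); a bijection as n is odd."""
    n = len(d)
    c = [0] * n
    for i in range(n):
        c[(2 * i) % n] = d[i] % q
    return c


def algorithm1(a: Vec, b: Vec, q: int) -> Tuple[Vec, Vec, int]:
    """Equation (18). Returns (D, C, number of coordinate multiplications)."""
    n, v = len(a), (len(a) - 1) // 2
    d = [ai * bi for ai, bi in zip(a, b)]          # step 2: D = A (.) B
    mults = n
    for j in range(1, v + 1):                      # steps 3-6
        sa, ta = rot(a, j), rot(a, -j)             # a_{i+j}, a_{i-j}
        sb, tb = rot(b, j), rot(b, -j)             # b_{i+j}, b_{i-j}
        r = [sa[i] * tb[i] + sb[i] * ta[i] for i in range(n)]
        mults += 2 * n
        d = [(di + ri) % q for di, ri in zip(d, r)]
    return d, sqrt_perm(d, q), mults               # step 7: C = sqrt_perm(D)


def algorithm2(a: Vec, b: Vec, q: int, field: bool = False) -> Tuple[Vec, Vec, int]:
    """Equation (19) (ring). With field=True the x term is omitted, giving
    equation (20), valid in the cyclotomic field where (3) holds."""
    n, v = len(a), (len(a) - 1) // 2
    d = [2 * ai * bi for ai, bi in zip(a, b)]      # steps 2 and 4: D = 2 (A (.) B)
    mults = n
    if not field:                                  # steps 3 and 5, rings only
        x = -sum(ai * bi for ai, bi in zip(a, b))
        d = [di + x for di in d]
    for j in range(1, v + 1):                      # steps 6-9
        sa, ta = rot(a, j), rot(a, -j)
        sb, tb = rot(b, j), rot(b, -j)
        r = [(sa[i] + ta[i]) * (sb[i] + tb[i]) for i in range(n)]
        mults += n                                 # one product per coordinate
        d = [(di + ri) % q for di, ri in zip(d, r)]
    return d, sqrt_perm(d, q), mults


def normalize(c: Vec, q: int) -> Vec:
    """Canonical form in the cyclotomic field: by (3), tuples that differ by a
    constant are the same element, so force the first coordinate to zero."""
    return [(ci - c[0]) % q for ci in c]


if __name__ == "__main__":
    # Example 3: alpha -> 1 + beta in GF(2)[x]/(x^3 + 1); alpha^2 = 1 + alpha -> 1 + beta^2.
    alpha = [1, 1, 0]
    print(algorithm1(alpha, alpha, 2)[1], algorithm2(alpha, alpha, 2)[1])
```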



B) ONB-I 

Some cyclotomic fields can be easily introduced by the normal bases generated
by the Gauss periods and, by doing so, one can find the relation/conversion
between the redundant basis and the normal basis. In these cases, we can use
Algorithms 1 and 2 (the latter without lines 3 and 5).



(a) Algorithm 1

                 j = 1                   j = 2                   C = AB
    a_0 b_0    + (a_1 b_4 + b_1 a_4)   + (a_2 b_3 + b_2 a_3)     = c_0
    a_1 b_1    + (a_2 b_0 + b_2 a_0)   + (a_3 b_4 + b_3 a_4)     = c_2
    a_2 b_2    + (a_3 b_1 + b_3 a_1)   + (a_4 b_0 + b_4 a_0)     = c_4
    a_3 b_3    + (a_4 b_2 + b_4 a_2)   + (a_0 b_1 + b_0 a_1)     = c_1
    a_4 b_4    + (a_0 b_3 + b_0 a_3)   + (a_1 b_2 + b_1 a_2)     = c_3

(b) Algorithm 2

    j = 1                           j = 2                           C = AB
    (a_1 + a_4) \times (b_1 + b_4)  + (a_2 + a_3) \times (b_2 + b_3)  = c_0
    (a_2 + a_0) \times (b_2 + b_0)  + (a_3 + a_4) \times (b_3 + b_4)  = c_2
    (a_3 + a_1) \times (b_3 + b_1)  + (a_4 + a_0) \times (b_4 + b_0)  = c_4
    (a_4 + a_2) \times (b_4 + b_2)  + (a_0 + a_1) \times (b_0 + b_1)  = c_1
    (a_0 + a_3) \times (b_0 + b_3)  + (a_1 + a_2) \times (b_1 + b_2)  = c_3

Table 4: Multiplication in a type-I ONB (example 4). (a) Algorithm 1.
(b) Algorithm 2.



A type-I ONB can always be generated by a Gauss period of type (m, 1). This
case is considered in [7], [8], [9], [10], [13], [14], [15], [16], [18]. Here,
n = m + 1, and a basis for GF(q^m) is [\beta, \beta^2, \ldots, \beta^m] (which
is a permutation of the normal basis
[\beta^{q^0}, \beta^{q^1}, \ldots, \beta^{q^{m-1}}]). The correspondence
between finite field elements and cyclotomic field elements is given by

    a_1 \beta + a_2 \beta^2 + \cdots + a_m \beta^m
      \;\to\; 0 \cdot 1 + a_1 \beta + a_2 \beta^2 + \cdots + a_m \beta^m,
    (a_1 - a_0) \beta + (a_2 - a_0) \beta^2 + \cdots + (a_m - a_0) \beta^m
      \;\leftarrow\; a_0 \cdot 1 + a_1 \beta + a_2 \beta^2 + \cdots + a_m \beta^m.   (22)



Example 4. The Gauss period (4, 1) generates an embedding of GF(2^4) in the
cyclotomic field GF(2)^{(5)}. Table 4 shows the operations that must be done
in a multiplication using Algorithms 1 and 2.

Equations (18) and (20) can be simplified in this case since a_0 = b_0 = 0.
We can also subtract c_0 from c_1, c_2, \ldots, c_m in accordance with the
mapping (22). So equation (18) simplifies to



    C' = \sum_{i=1}^{m} \Big\{ r + a_i b_i
           + \sum_{\substack{j=1 \\ j \ne i,\; j \ne m+1-i}}^{v}
             (a_{i+j} b_{i-j} + b_{i+j} a_{i-j}) \Big\} \beta^{2i},           (23)

where r = -\sum_{j=1}^{v} (a_j b_{m+1-j} + b_j a_{m+1-j}) and
C' = \sum_{i=1}^{m} (c_i - c_0) \beta^i. Also, equation (20) simplifies to

    C' = \sum_{i=1}^{m} \Big\{ t + 2 a_i b_i + a_{2i} b_{2i}
           + \sum_{\substack{j=1 \\ j \ne i,\; j \ne m+1-i}}^{v}
             (a_{i+j} + a_{i-j})(b_{i+j} + b_{i-j}) \Big\} \beta^{2i},        (24)

where t = -\sum_{j=1}^{v} (a_j + a_{m+1-j})(b_j + b_{m+1-j}).
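As an added example (not code from the paper), the following Python works through the type-I case of Example 4: elements of GF(q^m) are given by the coordinates (a_1, ..., a_m) of [beta, ..., beta^m], embedded by mapping (22) with a_0 = 0, multiplied by equation (24) with its index exclusions and the constant t, and reduced by subtracting c_0. It assumes m even (so n = m + 1 is odd); the reference multiplication, the Frobenius check and the representation of 1 are this example's own helpers.

```python
# Added example (not from the paper): GF(q^m) with a type-I ONB embedded in the
# cyclotomic field GF(q)^(n), n = m + 1 (m even, so n is odd), as in mapping (22).
# Elements are given by (a_1, ..., a_m), the coordinates of [beta, ..., beta^m].
from typing import List

Vec = List[int]


def onb1_exponents(q: int, m: int) -> List[int]:
    """Exponents q^i mod n of the normal basis [beta^{q^0}, ..., beta^{q^{m-1}}];
    it is a permutation of [beta, ..., beta^m] exactly when q has order m mod n."""
    n = m + 1
    return [pow(q, i, n) for i in range(m)]


def direct_field_mult(a: Vec, b: Vec, q: int) -> Vec:
    """Reference: convolution (6) on the embedded n-tuples (a_0 = b_0 = 0),
    then the backward map of (22): subtract c_0 from every coordinate."""
    n = len(a) + 1
    A, B = [0] + a, [0] + b
    c = [sum(A[i] * B[(k - i) % n] for i in range(n)) for k in range(n)]
    return [(ck - c[0]) % q for ck in c[1:]]


def onb1_mult(a: Vec, b: Vec, q: int) -> Vec:
    """Equation (24): C' = sum_{i=1}^{m} { t + 2 a_i b_i + a_{2i} b_{2i}
       + sum_{j=1, j != i, j != m+1-i}^{v} (a_{i+j} + a_{i-j})(b_{i+j} + b_{i-j}) } beta^{2i},
       t = - sum_{j=1}^{v} (a_j + a_{m+1-j})(b_j + b_{m+1-j}); subscripts mod n."""
    m = len(a)
    n, v = m + 1, m // 2
    A, B = [0] + a, [0] + b                         # a_0 = b_0 = 0 by (22)
    t = -sum((A[j] + A[m + 1 - j]) * (B[j] + B[m + 1 - j]) for j in range(1, v + 1))
    cp = [0] * n                                    # cp[k] = c_k - c_0, so cp[0] = 0
    for i in range(1, m + 1):
        acc = t + 2 * A[i] * B[i] + A[2 * i % n] * B[2 * i % n]
        for j in range(1, v + 1):
            if j == i or j == m + 1 - i:            # these terms contain a_0 or b_0
                continue
            acc += (A[(i + j) % n] + A[(i - j) % n]) * (B[(i + j) % n] + B[(i - j) % n])
        cp[2 * i % n] = acc % q                     # coefficient of beta^{2i}
    return cp[1:]


def frobenius(a: Vec) -> Vec:
    """Over GF(2), A^2 = sum a_i beta^{2i}: squaring is only a permutation of
    the redundant coordinates (no arithmetic at all)."""
    m = len(a)
    n = m + 1
    A = [0] + a
    s = [0] * n
    for i in range(n):
        s[2 * i % n] = A[i]
    return s[1:]


def one(q: int, m: int) -> Vec:
    """By (3), 1 = -(beta + beta^2 + ... + beta^m): all coordinates equal q - 1."""
    return [q - 1] * m


if __name__ == "__main__":
    # GF(2^4) in GF(2)^(5): the normal basis is [beta, beta^2, beta^4, beta^3].
    print(onb1_exponents(2, 4), onb1_mult([1, 1, 0, 1], [1, 1, 0, 1], 2))
```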
C) ONB-II

A Gauss period of type (m, 2) with n = 2m + 1 generates a type-II ONB. This
case is considered in [10], [18], [19], [20]. From equation (4),
\gamma^{q^i} = \beta^{q^i} + \beta^{2m+1-q^i}, and so a mapping between
finite field elements and cyclotomic field elements can be written as



    a_1 \beta + a_2 \beta^2 + \cdots + a_m \beta^m \;\to\;
      0 \cdot 1 + a_1 \beta + a_2 \beta^2 + \cdots + a_m \beta^m
      + a_m \beta^{m+1} + a_{m-1} \beta^{m+2} + \cdots + a_1 \beta^{2m},
    (a_1 - a_0) \beta + (a_2 - a_0) \beta^2 + \cdots + (a_m - a_0) \beta^m \;\leftarrow\;
      a_0 + a_1 \beta + a_2 \beta^2 + \cdots + a_m \beta^m
      + a_m \beta^{m+1} + a_{m-1} \beta^{m+2} + \cdots + a_1 \beta^{2m}.       (25)

Again, [\beta^1, \beta^2, \ldots, \beta^m] is a permutation of the
coefficients of the normal basis. In the particular case of GF(2^m),
coordinate a_0 in (25) is always zero.

Example 5. The Gauss period (3, 2) generates an isomorphism between GF(2^3)
and GF(2)^{(7)}. The data-flow of the multiplication is shown in Table 5. In
this table, we show the pairs of coordinates over which arithmetic operations
are to be performed.

The representation given by (25) has some redundancies which can be
eliminated. First, coordinates c_1, c_2, \ldots, c_m are obtained twice, but
this can be easily avoided. Applying this simplification to equation (18), we
obtain

    C = \sum_{i=0}^{2m} \Big\{ a_{s(i)} b_{s(i)}
          + \sum_{j=1}^{m} (a_{s(i+j)} b_{s(i-j)} + b_{s(i+j)} a_{s(i-j)}) \Big\} \beta^{2i},   (26)

where the indexes must be read modulo 2m + 1, and

    s(i) = \begin{cases} i          & \text{if } 0 \le i \le m \\
                         2m + 1 - i & \text{if } m + 1 \le i \le 2m. \end{cases}   (27)

We can also subtract c_0 from c_1, c_2, \ldots, c_m in accordance with the
mapping (25). Also, since a_0 = b_0 = 0, equation (26) can be simplified to

    C' = \sum_{i=1}^{m} \Big\{ y + a_{s(i)} b_{s(i)}
           + \sum_{j=1}^{m} (a_{s(i+j)} b_{s(i-j)} + b_{s(i+j)} a_{s(i-j)}) \Big\} \beta^{s(2i)},   (28)

where y = -\sum_{j=1}^{m} a_j b_j and C' = \sum_{i=1}^{m} (c_i - c_0) \beta^i.

(a) Original

            j = 1    j = 2    j = 3    C = AB
    i = 0   (1,1)    (2,2)    (3,3)    c_0
    i = 1   (2,0)    (3,1)    (3,2)    c_2
    i = 2   (3,1)    (3,0)    (2,1)    c_3
    i = 3   (3,2)    (2,1)    (1,0)    c_1
    i = 4   (2,3)    (1,2)    (0,1)    c_1
    i = 5   (1,3)    (0,3)    (1,2)    c_3
    i = 6   (0,2)    (1,3)    (2,3)    c_2

(b) Simplified

            j = 1    j = 2    j = 3    C = AB
    i = 1   (2,0)    (3,1)    (3,2)    c_2
    i = 2   (3,1)    (3,0)    (2,1)    c_3
    i = 3   (3,2)    (2,1)    (1,0)    c_1

Table 5: Data-flow of multiplication in a type-II ONB (example 5). (a)
Original. (b) Simplified.

Second, since the data-flow matrix of equation (28) is symmetric, it is only
necessary to compute the diagonal and the upper triangular submatrices. In a
similar way, equation (20) can be written as

    C' = \sum_{i=1}^{m} \Big\{ y + 2 a_i b_i + a_{s(2i)} b_{s(2i)}
           + \sum_{\substack{j=1 \\ j \ne i}}^{m}
             (a_{s(i+j)} + a_{s(i-j)})(b_{s(i+j)} + b_{s(i-j)}) \Big\} \beta^{s(2i)}.   (29)
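As an added example (not code from the paper), the following Python works through the type-II case of Example 5: the fold s(i) of equation (27), the symmetric embedding of mapping (25), the reduced product of equation (28) on the folded coordinates, and the pair table of Table 5(b). The constant y is computed here as the negated i = 0 term of equation (26) (which is -2 sum_j a_j b_j and vanishes over GF(2)), so that the check against a direct convolution holds for every prime q; the function names and the `one` helper are this example's own.

```python
# Added example (not from the paper): GF(q^m) with a type-II ONB embedded in the
# cyclotomic field GF(q)^(n), n = 2m + 1, through the symmetric mapping (25);
# the fold s(i) of equation (27) and the reduced product of equation (28).
from typing import Dict, List, Tuple

Vec = List[int]


def s(i: int, m: int) -> int:
    """Equation (27): beta^i and beta^{2m+1-i} carry the same coordinate in
    mapping (25), so every index (taken mod 2m+1) folds onto 0..m."""
    i %= 2 * m + 1
    return i if i <= m else 2 * m + 1 - i


def embed(a: Vec) -> Vec:
    """Mapping (25): (a_1..a_m) -> 0 + a_1 beta + ... + a_m beta^m
                                     + a_m beta^{m+1} + ... + a_1 beta^{2m}."""
    m = len(a)
    A = [0] + a
    return [A[s(i, m)] for i in range(2 * m + 1)]


def direct_onb2_mult(a: Vec, b: Vec, q: int) -> Vec:
    """Reference: convolution (6) on the embedded (2m+1)-tuples, then the backward
    map of (25): keep c_1..c_m and subtract c_0."""
    A, B = embed(a), embed(b)
    n = len(A)
    c = [sum(A[i] * B[(k - i) % n] for i in range(n)) for k in range(n)]
    return [(c[k] - c[0]) % q for k in range(1, len(a) + 1)]


def onb2_mult(a: Vec, b: Vec, q: int) -> Vec:
    """Equation (28) on the folded coordinates. The constant y is taken here as
    -d_0, the negated i = 0 term of equation (26) (equal to -2 sum_j a_j b_j,
    which vanishes over GF(2)), so the identity holds for every prime q."""
    m = len(a)
    A, B = [0] + a, [0] + b                            # a_0 = b_0 = 0 by (25)

    def d(i: int) -> int:                              # inner braces of (26)
        acc = A[s(i, m)] * B[s(i, m)]
        for j in range(1, m + 1):
            acc += A[s(i + j, m)] * B[s(i - j, m)] + B[s(i + j, m)] * A[s(i - j, m)]
        return acc

    y = -d(0)
    cp = [0] * (m + 1)                                 # cp[k] = c_k - c_0
    for i in range(1, m + 1):
        cp[s(2 * i, m)] = (y + d(i)) % q               # coefficient of beta^{s(2i)}
    return cp[1:]


def dataflow(m: int) -> Dict[int, List[Tuple[int, int]]]:
    """Rows of Table 5(b): for each i = 1..m the pairs (s(i+j), s(i-j)), j = 1..m."""
    return {i: [(s(i + j, m), s(i - j, m)) for j in range(1, m + 1)] for i in range(1, m + 1)}


def one(q: int, m: int) -> Vec:
    """By (3) and (25), 1 = -(beta + ... + beta^{2m}): every folded coordinate is q - 1."""
    return [q - 1] * m


if __name__ == "__main__":
    # GF(2^3) in GF(2)^(7): the three rows of Table 5(b) and one product.
    print(dataflow(3), onb2_mult([1, 0, 1], [1, 1, 0], 2))
```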

Equations (23), (24), (28) and (29) can be applied to GF(q^m) with q prime.
For comparison, we will consider the particular case of GF(2^m) and other
multipliers as shown in Table 6. This table shows the number of bit operations
of these multipliers and the time complexity of multipliers in bit-parallel
implementation. The multiplier of [13] is considered to be the first such work
published in the open literature, the multipliers of [5], [6], [10] use the
redundant representation, and those of [14], [17], [18], [20] are more recent
work and have the best results among the known existing ones.

For multiplication in finite fields using cyclotomic rings, Algorithm 1
requires the same number of arithmetic operations as previously published
multipliers, while Algorithm 2 requires approximately half the number of AND
operations at the expense of extra XOR operations. For multiplication in
finite fields with type-I and type-II ONBs, equations (23), (24), (28) and
(29) require a total number of operations equal to that of the best known
multipliers.
    Multiplier                  #AND          #XOR               Total           Critical path
    ---------------------------------------------------------------------------------------------
    Rings, Alg. 1               n^2           n^2 - n            2n^2 - n        T_A + ⌈log2 n⌉ T_X
    Rings, Alg. 2               (n^2 + n)/2   (3n^2 - n)/2 - 1   2n^2 - 1        T_A + (1 + ⌈log2 n⌉) T_X
    Rings, redundant [5], [6]   n^2           n^2 - n            2n^2 - n        T_A + ⌈log2 n⌉ T_X
    ONB-I, Alg. 1               m^2 + 2m + 1  m^2 + m            2m^2 + 3m + 1   T_A + ⌈log2 (m+1)⌉ T_X
    ONB-I, Alg. 2               (m^2 + m)/2   (3m^2 + m - 2)/2   2m^2 + m - 1    T_A + ⌈log2 (m-1)⌉ T_X
    ONB-I, Eq. (23)             m^2           m^2 - 1            2m^2 - 1        T_A + (1 + ⌈log2 (m-1)⌉) T_X
    ONB-I, Eq. (24)             (m^2 + m)/2   (3m^2 - m)/2 - 1   2m^2 - 1        T_A + (1 + ⌈log2 (m-1)⌉) T_X
    ONB-I, redundant [10]       m^2 + m       m^2 + m            2m^2 + 2m       T_A + (1 + ⌈log2 (m-1)⌉) T_X
    ONB-I, [13]                 m^2           2m^2 - 2m          3m^2 - 2m       T_A + (1 + ⌈log2 (m-1)⌉) T_X
    ONB-I, [17], [18]           m^2           m^2 - 1            2m^2 - 1        T_A + (1 + ⌈log2 (m-1)⌉) T_X
    ONB-I, [14]                 (m^2 + m)/2   (3m^2 - m)/2 - 1   2m^2 - 1        T_A + (1 + ⌈log2 (m-1)⌉) T_X
    ONB-II, Alg. 1              2m^2 + m      2m^2               4m^2 + m        T_A + ⌈log2 (2m+1)⌉ T_X
    ONB-II, Alg. 2, Eq. (26)    m^2           3m^2 - m           4m^2 - m        T_A + (1 + ⌈log2 m⌉) T_X
    ONB-II, Eq. (28)            m^2           (3m^2 - 3m)/2      (5m^2 - 3m)/2   T_A + ⌈log2 (2m-1)⌉ T_X
    ONB-II, Eq. (29)            (m^2 + m)/2   2m^2 - 2m          (5m^2 - 3m)/2   T_A + ⌈log2 (2m-1)⌉ T_X
    ONB-II, redundant [10]      m^2           2m^2 - m           3m^2 - m        T_A + (1 + ⌈log2 m⌉) T_X
    ONB-II, [13]                m^2           2m^2 - 2m          3m^2 - 2m       T_A + (1 + ⌈log2 (m-1)⌉) T_X
    ONB-II, [18], [20]          m^2           (3m^2 - 3m)/2      (5m^2 - 3m)/2   T_A + (1 + ⌈log2 m⌉) T_X
    ONB-II, [14]                (m^2 + m)/2   2m^2 - 2m          (5m^2 - 3m)/2   T_A + ⌈log2 (2m-1)⌉ T_X

Table 6: Comparison of GF(2^m) multipliers.

5 Conclusions 

In this paper we have presented a unified formulation for multiplication in
cyclotomic rings and fields. From this formulation we can generate optimized
algorithms for multiplication. The algorithms are quite generic in the sense
that they are not restricted to any special type of ground field. Moreover, in
our algorithms, most arithmetic operations are done on vectors. One of the
proposed algorithms requires approximately half the number of
coordinate-level multiplications compared to the conventional algorithm for
multiplication in cyclotomic rings/fields. Although this is achieved at the
expense of extra coordinate-level additions, the total number of operations
is only slightly higher than that of the conventional algorithm. Hence, the
proposed algorithm is advantageous for ground fields in which multiplication
is more costly than addition.

Our method has been applied to the finite fields GF(q^m) to further reduce
the number of operations. We then presented optimized algorithms for
multiplication in finite fields with ONBs of type-I and type-II. In the
particular case of GF(2^m), and compared to the best known multipliers in
GF(2^m), the proposed ones require the same number of arithmetic operations.